Weak Password Recovery Mechanism for Forgotten Password

CVE-2021-44839

Medium

4/10

Summary

An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses).

Access Complexity: LOW
AccessVector: NETWORK
Authentication: SINGLE
Integrity Impact: PARTIAL
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-640 - Weak Password Recovery Mechanism for Forgotten Password

The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

References

Advisory Timeline

Published Jan 18, 2022

Weak Password Recovery Mechanism for Forgotten Password

CVE-2021-44839

Summary

CWE-640 - Weak Password Recovery Mechanism for Forgotten Password

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS